Question
How do I capture and block embedded hyperlinks that have executables?
Answer
You can use a message filter to scan the message body and any HTML attachments. These links usually arrive in HTML email. For the scanning engine to detect them, you must use the body-contains condition. If you only process outbound mail, you can use the only-body-contains condition instead.
The following message filter looks for a hyperlink of any length that ends with an executable (.exe). Once the condition is met, two actions fire. The first notifies the local administrator by sending an email to admin@example.com.
The second is a final action that drops the email. The email does not have to be dropped; it can be quarantined instead by replacing the 'drop();' action below with 'quarantine("Policy");'.
The quarantine must already be defined, otherwise the filter engine will not accept the filter. You can either use the default Policy quarantine or create your own (refer to the quarantines section of the manual for creating or deleting quarantines).
Block_exe_urls: if body-contains("://\\S*\\.exe(\\s|\\b|$)")
{
notify ("admin@example.com");
drop();
}
You can also use this version, which removes the offending URLs from the body and replaces them with the text URL REMOVED.
remove_exe_urls: if body-contains("://\\S*\\.exe(\\s|\\b|$)")
{
edit-body-text("://\\S*\\.exe(\\s|\\b|$)", "URL REMOVED");
}
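To see what the expression used in both filters does and does not match, here is an added example (not Cisco's code or part of this article) that runs the same pattern with Python's re module over a few constructed message bodies. The appliance's own regex engine may differ in details such as case handling, so treat it as an illustration of the pattern, not of the engine.

```python
import re

# The pattern from the filter, written as a Python raw string (the filter
# itself doubles the backslashes inside its double-quoted string).
EXE_URL = re.compile(r"://\S*\.exe(\s|\b|$)")

# Constructed sample bodies for illustration; not taken from real mail.
SAMPLES = {
    "plain_space": "Download here: http://files.example.net/setup.exe now",
    "end_of_body": "Get it at https://dl.example.net/tool.exe",
    "html_href":   '<a href="http://dl.example.net/app.exe">click</a>',
    "not_exe":     "Docs: http://dl.example.net/readme.executable.txt",
    "bare_name":   "Run setup.exe after downloading",   # no "://", so not a URL
    "uppercase":   "http://dl.example.net/SETUP.EXE",    # case differs from the pattern
}


def matches_exe_url(body: str) -> bool:
    """Mirror of the body-contains() condition: True if any .exe URL is present."""
    return EXE_URL.search(body) is not None


def scrub_exe_urls(body: str) -> str:
    """Mirror of edit-body-text(): replace every match with the marker text.

    Note that the match starts at "://" (the scheme stays) and, when the URL is
    followed by whitespace, the \\s alternative consumes that whitespace too.
    """
    return EXE_URL.sub("URL REMOVED", body)


def run_samples() -> dict:
    """Evaluate both functions over every sample; returns {name: (matched, scrubbed)}."""
    return {name: (matches_exe_url(b), scrub_exe_urls(b)) for name, b in SAMPLES.items()}


if __name__ == "__main__":
    for name, (hit, scrubbed) in run_samples().items():
        print(f"{name:12} match={hit!s:5} -> {scrubbed}")
```

The HTML case matches because the closing quote after .exe is a word boundary, while readme.executable.txt does not, since the letter following .exe is not a boundary; the uppercase sample is missed by Python's case-sensitive match, so confirm the appliance's behaviour before relying on it for mixed-case links.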
For detailed instructions on how to enter a message filter, please review How do I add a new message filter to my Cisco IronPort Appliance?
Please refer to the Cisco ESA AsyncOS ADVANCED USER GUIDE for Email Security Appliances section called Policy enforcement to review message filters.